I was also hit hard by this bug after a recent upgrade from Debian 8.x to
Debian 9.x.

Dovecot spams the following lines multiple times per second and my .gz
compressed mbox archives do not appear to work properly over IMAP:

Mar  3 18:37:28 hostname dovecot: imap(username): Panic: file istream-zlib.c: 
line 416 (i_stream_zlib_seek): assertion failed: (ret == -1)
Mar  3 18:37:28 hostname dovecot: imap(username): Fatal: master: service(imap): 
child 2768 killed with signal 6 (core dumps disabled)

It would appear that Dovecot 2.2.33 contains a likely fix, based on
https://www.dovecot.org/doc/NEWS 
"mbox, zlib: Fix assert-crash when accessing compressed mbox"

Stretch only contains 2.2.27, but there is a 2.2.33.2-1~bpo9+1 in
stretch-backports. It looks like the stretch-backports package was last
uploaded on 15 Nov 2017, so it probably does not contain the security fixes
included in DSA-4130-1 which was published on 02 Mar 2018.

Is there a chance that the "mbox,zlib" fix from 2.2.33 could be included in a
later Debian 9.x point release? I'm not keen on running a backports package
that does not appear to get timely security updates.

In the meantime, I have disabled the zlib plugin and decompressed all .gz
mboxes server-side.

While this bug is a little unfortunate, thanks again for all the work you 
do on this package.
